Daily Archives: March 25, 2015

See Your Company Through the Eyes of a Hacker


JP Morgan Chase. Target. Sony. Each has been part of the growing number of cyber-attacks against private companies around the world in recent years. In the latter two cases, CEOs were forced to resign in the wake of the breach. Attacks are growing more sophisticated and more damaging, targeting what companies value the most: their customer data, their intellectual property, and their reputations.

What these attacks – together with breaches to defense, law-enforcement, and military-contractor networks – reveal is that our cyber-security efforts over the last two decades have largely failed, and fixing this will require the attention not only of security officers and IT teams, but also of boards and CEOs.

Companies need to take a new approach. They can do so by looking at themselves through the eyes of their attackers. In the military this is called turning the map around. The point is to get inside the mind of the enemy, and to see the situation as they do, in order to anticipate and prepare for what’s to come.

Unfortunately, this mindset is still too rare. Despite spending billions of dollars every year on the latest security products and hiring the best security engineers and analysts, companies are more vulnerable than they’ve ever been. Two trends account for this: the rapid convergence of enterprise IT architectures, and the proliferation of increasingly sophisticated adversaries.

Changes in enterprise IT over the past decade mean that every company is now a technology company. By the end of the decade, there will be 50 billion devices connected to the Internet, complicating networks and generating petabytes of data. To add to that, the cloud revolution has finally dissolved perimeters – companies enjoying the benefits of infrastructure as a service must depend upon the security of networks and systems beyond their direct control.

As mobility, the Internet of Things, and the cloud change enterprises, adversaries are also becoming more sophisticated. States and state-sponsored entities spy on and attack private companies, often using military-grade tactics and capabilities. They do this within a system where offense enjoys a structural advantage over defense because attribution is difficult, deterrence is uncertain, and attackers need to succeed only once, but defenders must succeed always.

Most companies try to deal with this chaos by parsing signal from noise. They build walled castles around their most precious assets, but perimeters don’t matter when even the average college student owns seven IP-enabled devices. They rely on automated alerts to tell them when something malicious on their networks matches some previous bad event, but this approach overwhelms them with red flags while remaining blind to new and previously unknown threats.

There’s just too much noise to contend with. Security analysts, for example, may see a thousand incidents in a given day, but only have the time and resources to investigate a fraction of them. This is why hackers were able to exfiltrate over 40 million credit-card numbers from Target, despite the fact that a peripheral network device had detected the malware. It’s also the reason why Neiman Marcus was hacked after its system generated over 60 days’ worth of malware alerts. And this is why Sony was hacked after its IT team knew the company had been under attack for two years.

By turning the map around, executive teams can learn a great deal about their own companies, and better prepare for the inevitable attacks. This is how most companies look from an attacker’s perspective:

- Their security is overwhelmingly focused on generic malware detection and protection against automated threats that aren’t being guided with precision.
- They don’t have a full picture of what is on their networks, the cloud services they’re using, the applications running on those services, and the security postures of their supply chains and partners.
- Their IT and security teams are peripheral concerns, costs to be managed rather than centers of excellence that support the core business.
- Overall, they are reactive, rather than proactive, in their approach to security.

Each bullet-point above is a weakness that attackers can exploit. This is why companies should learn from attackers in deciding how to defend themselves. Here’s how.

1. Understand your major risks and how adversaries aim to exploit them. If security could be calculated, then adversaries would be the numerator. Companies must understand their unique threatscapes to the greatest possible extent, and generic data are insufficient. Effective security must integrate indicators of compromise (have we been attacked?), tactics, techniques and procedures (how are we being targeted?), identity intelligence (who would target us, and why?), vulnerability intelligence (what is being exploited in the wild?), and attack attribution (is this commodity or targeted?). Only with focused threat intelligence can analysts spend their precious and valuable time investigating the most important incidents, prioritizing those associated with your most formidable adversaries and your greatest business risks. You can go crazy (and broke) trying to play Whack-A-Mole in defense against them all. Instead, identify your most essential assets and focus scarce resources only on those threats that actually pose a risk to your company.

2. Take inventory of your assets and monitor them continuously. If security could be calculated, then inventory would be the denominator. At the simplest level, companies must identify and monitor all of their interconnected assets: is a developer spinning up a thousand virtual machines without your knowledge? What applications are running on the database servers holding your most valuable information? Did an employee connect a new device to your corporate network? Does one of your distant subsidiaries have a new partner? Does your HVAC system connect somehow with your Point of Sale? Periodic assessments, reports that take weeks to prepare, and conclusions that require complex interpretation contribute to gaps in security. Companies must maintain a dynamic, real-time inventory of assets, monitor those assets continuously, and render them visually in a way that is simple and intuitive for security and operations teams.

3. Make security a part of your mission. The prevailing approach to security is compliance-focused, cost-constrained, peripheral to the core business, and delegable by C-suite leaders. Working on a team like that isn’t fun inside any enterprise, and it loses against 21st-century adversaries who know that it’s more fun to be a pirate than to join the Navy. Any defense is only as good as the people doing the defending. The new model of security needs to be about mission and leadership, ensuring that we have the best defenders up against the best attackers. Security is no longer delegable, and the mission of security teams must be synonymous with the mission of the company.

4. Be active, not passive, in hunting adversaries on your network and removing them. The term “active defense” has been tarred as a euphemism for “hacking back,” and companies are ill-advised to go on the offensive: first, it’s illegal to access others’ networks without permission, even if you’re acting in supposed self-defense; and second, it’s just not smart to escalate unless you can dominate, and even the biggest companies will ultimately lose against state or state-sponsored adversaries. So while you cannot go attack the other team on their own turf, you can and increasingly must be active against adversaries inside your own networks. This means assuming not merely that you are under attack, but that your attacker is in, and so you must hunt for a stealthy, persistent human adversary in order to contain and remediate the risk before they can cause damage – dramatically cutting the time between breach and detection from its current average of more than 200 days.

It is easy during these days of frequent and devastating attacks to cry out that the sky is falling, and that the very future of the Internet as a trusted domain of commerce and communication is at stake. But it would be wrong to extrapolate the data points of recent years into a line leading to ruin. Too many of us have too much at stake here, and the combined forces of executives, entrepreneurs, software developers, security teams, and investors all turning the map around can equip us to defend against this next generation of adversaries.

HBR


Bullish Rohit Sharma ready to take on Australia

SYDNEY: India opener Rohit Sharma has every reason to be confident about his chances of success against Australia in the World Cup semifinal.

The 27-year-old right-hander is one of only two current Indian players to have beaten Australia in a limited-overs international at the Sydney Cricket Ground, venue for the semifinal on Thursday.

He was playing the 13th of his 134 ODI matches and batting at No. 5 when he scored 66 in a match-turning 123-run partnership with Sachin Tendulkar in a six-wicket win over Australia in Sydney in March 2008. Skipper Mahendra Singh Dhoni also featured in that game, which remains India’s only win at the ground against the Australians in 14 meetings back to 1980.

“It’s been a long time, seven years. I can recall that very well,” he said. “It’s really fresh in my memory because … the great Sachin Tendulkar was batting alongside me, so there is no way I can forget that. It was a very important game.”

It set Sharma up for a prolific record against the top-ranked Australians — he averages 58.7 in 17 ODIs against the Aussies, far superior to his career average of just under 40. He has scored three centuries against the Australians, including 141 not out at Jaipur and 209 at Bangalore in the same series in 2013.

“As a batsman, over the years I’ve learned a lot of things. Certainly batting up the order has changed my game, my approach toward the game and the responsibility,” he said. “I know if I’m batting top of the order there is a huge responsibility and I have to take my team through.

“So every time I go to bat I always think about that. Doesn’t matter if I come on top or not, but at least I do that.”

In the last head-to-head against Australia, he posted 138 in a losing cause at Melbourne in January. The Indians didn’t win a competitive game in Australia for two months leading up to the World Cup, but turned it around at the World Cup, where the defending champions have won seven consecutive matches and bowled out the opposition in every game. Sharma scored a century in the quarterfinal win over Bangladesh, so is coming into form.

Sharma is a dangerous batsman, and capable of getting India away to a rapid start — something that will be needed against four-time champion Australia. And he’s prolific, having set a world record 264 from 173 balls, including 33 boundaries and nine sixes against Sri Lanka last year.

“I think records are there to be broken. I don’t wish my record to be broken. But, look, every batsman would want to hit a big score,” he said in comments translated from Hindi.

“To score 200 runs is not easy, it is a very tough job. Even when I scored 264 I was told (by people) that you should have scored 300. Not just in India, everywhere, people’s expectations are very high.”

With a pro-India crowd at the SCG, and with a spot in the final against New Zealand up for grabs, there’s no doubt he’ll be aiming to score a lot of runs, and quickly, against Australia.

The final is scheduled for Sunday at the Melbourne Cricket Ground.

WirelessHD, and how it could change home entertainment


“WirelessHD promises to revolutionise home entertainment and take it to the next level”

Wires have traditionally been the bane of our increasingly technology-dependent lives for as long as we can remember. While the advancement in tech has reduced cables around us significantly, the quest for a truly wireless world continues unabated. One area where there’s still a large scope of improvement is home entertainment, where, despite the proliferation of Wi-Fi and Bluetooth-enabled products, there are still too many wires around. Whether they’re visible outside or hidden behind walls and panelling is a different question, but the fact is, wired connections are simply much better than alternative wireless technologies, especially when it comes to beaming heavy media content such as high-definition video. Lag is gaming’s biggest enemy, capable of spoiling all the fun. And these are the areas where the new WirelessHD (aka WiHD) standard comes in.

The WirelessHD Consortium is a special interest group that has defined standards for this new technology, and SiBEAM, a subsidiary of Silicon Image (the guys behind connectivity standards like MHL), is one of the companies that have been working extensively on this. WiHD utilises the unlicensed 60GHz band, which has the available bandwidth to wirelessly stream lossless HD video and audio. This is different from Wi-Fi, which traditionally uses 2.4GHz or 5.0GHz RF signals. Regular Wi-Fi can only transmit data at 200 to 300Mbps, but full HD uncompressed video requires up to 3Gbps. WirelessHD can offer transmission speeds ranging from 10 to 28Gbps, making it ideal for beaming uncompressed and lag-free videos. And as we mentioned earlier, this is especially beneficial not only for movies, but also for gaming, where lag can play spoilsport.

Apart from beaming lossless 1080p/60fps video, the key features of WiHD include support for varied audio formats and multiple video streams capability for picture-in-picture and single source to multiple displays. The technology simplifies home theatre setup, and also provides the capability to control multiple WirelessHD-enabled devices in the living room with the standard TV remote control. Moreover, it’s supported by global CE and PC manufacturers to ensure interoperability.

WirelessHD devices work when placed within a room, up to 10 meters apart, and there’s a whole range of WiHD-capable products already available. Just to give you an idea, these include the Dell Alienware M14x, M17x and M18x gaming laptops, the Epson Powerlite Home Cinema Projector 3020e and 5020Ube, and the Sony Personal 3D Viewer HMZ-T3W. Of special interest to us is the Saygus V2, which is the world’s first smartphone to feature WirelessHD. This means that with the help of this smartphone and a compatible receiver that plugs into the HDMI port of your TV, you can enjoy a lag-free gaming and video viewing experience on the large screen. As we wait for this technology to reach the masses, we’ll leave you with a demo video, courtesy of the guys at Saygus, that showcases exactly how useful it could be.

NT
